Mike on Security

Create a PMD and a FindBugs Configuration as a Reusable Configuration Resource jar File

As with the Checkstyle configuration, it is often useful in centralized build environments to bundle the PMD rules into a dedicated jar file. The benefits of centralizing the FindBugs excludes file are, in my opinion, somewhat limited. While establishing a centralized set of Checkstyle and PMD rules often makes a lot of sense, the files to exclude from a FindBugs scan often depend on the sources of a particular project at hand, and are seldom generic enough to justify centralization.

The mechanism for creating a configuration resource artifact for PMD and FindBugs is very similar to the process used for Checkstyle: create a new Maven project and store the PMD configuration file (e.g. pmd-rules.xml) and the FindBugs excludes file (e.g. findbugs-excludes.xml) in the src/main/resources folder. As with Checkstyle, there is no need to configure the PMD or FindBugs plugin for this Maven project. Once you have created the artifact, perform an “mvn deploy” and push the (versioned) artifact to a repository server.
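To show how the deployed jar is then used, here is an added example (not from the original post) of a consuming project's pom.xml fragment that loads both files from the plugin classpath. The coordinates com.example.build:build-config:1.0.0 and the two version properties are assumed placeholders.

```xml
<!-- Consumer project's pom.xml (fragment); added example.
     Assumed: the configuration jar com.example.build:build-config:1.0.0
     holds pmd-rules.xml and findbugs-excludes.xml at its root
     (copied there from src/main/resources). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <version>${pmd.plugin.version}</version> <!-- placeholder property -->
      <configuration>
        <rulesets>
          <!-- Resolved from the plugin classpath, i.e. the config jar -->
          <ruleset>pmd-rules.xml</ruleset>
        </rulesets>
      </configuration>
      <dependencies>
        <!-- Pin the version so every build enforces the same rule set -->
        <dependency>
          <groupId>com.example.build</groupId>
          <artifactId>build-config</artifactId>
          <version>1.0.0</version>
        </dependency>
      </dependencies>
    </plugin>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <version>${findbugs.plugin.version}</version> <!-- placeholder property -->
      <configuration>
        <!-- Also accepted as a classpath resource -->
        <excludeFilterFile>findbugs-excludes.xml</excludeFilterFile>
      </configuration>
      <dependencies>
        <dependency>
          <groupId>com.example.build</groupId>
          <artifactId>build-config</artifactId>
          <version>1.0.0</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```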